Presentation is loading. Please wait.

Presentation is loading. Please wait.

Johns Hopkins MFA & Risk Analysis Presented by: Etan Weintraub & Patrick Ostendarp

Similar presentations


Presentation on theme: "Johns Hopkins MFA & Risk Analysis Presented by: Etan Weintraub & Patrick Ostendarp"— Presentation transcript:

1 Johns Hopkins MFA & Risk Analysis Presented by: Etan Weintraub & Patrick Ostendarp

2 Background First foray into MFA (2009) – system administrators only –Solution had to support Windows & Linux –Investigated a few vendors. Went with Aladdin (now Safenet) –Dual role tokens Used PKI environment for smartcard component – Windows –Created secondary accounts for system access. Accounts configured in AD for ‘Smart card is required for interactive logon’ Used radius connections for OTP verification - Linux

3 Background - Deployment Standard token deployment –Started with internal IT –Expanded to additional admins –Eventually made mandatory for all system administrators in central IT Normal feedback –Admins did not like relying on token –Plenty of ‘what-if’ scenarios Currently have 300+ admins with tokens

4 Background - Issues We allowed admins to create their own secondary accounts –Major mistake –No centralized management, reporting, monitoring, etc. Issues with certain *Nix flavors connecting to radius Standard token issues –Broken –Lost

5 Next up – MFA for Users Johns Hopkins uses CA SiteMinder as their primary WebSSO platform –Don’t worry – we have a large Shibboleth deployment too Investigated two primary solutions –CA Riskminder / Authminder –SecureAuth Focused more on risk analysis aspects of solution vs. second factor authentication options Use-case driving need was VPN protection

6 MFA for Users – Take 2 Decided to purchase Authminder / Riskminder solution –Ended up scrapping the product due to multiple incompatibility issues not found in proof-of-concept Used lessons learned from project to develop in-house risk based analysis solution called Enterprise Step-up Authentication (ESA) –We’ll get into more detail in a minute First MFA options –SMS OTP –Safenet OTP –Secret Questions and Answers

7 ESA - Risk Analysis On Login Page –Browser/Device Fingerprint built and passed along to risk analysis engine –https://github.com/Valve/fingerprintjshttps://github.com/Valve/fingerprintjs After successful ID/PW Verification, Check: –Tables with User / Device / IP blocked/untrusted/allowed –User / Device velocity checks (how many attempts in an hour) –Geolocation (Current IP vs Last IP) Freegeoip.net –Device / User profile matching (Have we seen this pair before?) Exact Match versus Close Match

8 ESA – Levels of Protection Standard –90% of our WebSSO sites –Risk Only checks. No MFA unless high risk determined Step-up –Require step-up authentication if new device / user combination –Save information for 60 days Always Step-up –Primarily for IT Admin sites –Require step-up even if device / user combination is found

9 MFA for Users – What’s Next? Production Beta of TOTP using Google Authenticator –Many users have short code SMS blocked –Out of the country / no cell coverage / etc. Expanding radius offering to support TOTP –Allow system admins to use Google Authenticator instead of Safenet token Adding a web service component to ESA –Allow for check of client after authentication Improving self-service –Creating a myIT page for users and system admins to manage information about their IT profile

10 Demonstration


Download ppt "Johns Hopkins MFA & Risk Analysis Presented by: Etan Weintraub & Patrick Ostendarp"

Similar presentations


Ads by Google